ZERO-KNOWLEDGE AUTHENTICATION SCHEMES 
FROM ACTIONS ON GRAPHS, GROUPS, OR RINGS 
Abstract. We propose a general way of constructing zero-knowledge authentication 
schemes from actions of a semigroup on a set, without exploiting any specific algebraic 
properties of the set acted upon. Then we give several concrete realizations of this 
general idea, and in particular, we describe several zero-knowledge authentication 
schemes where forgery (a.k.a. impersonation) is NP-hard. Computationally hard 
problems that can be employed in these realizations include (Sub)graph Isomorphism, 
Graph Colorability, Diophantine Problem, and many others. 



1. Introduction 

In this paper, we propose a general Feige-Fiat-Shamir-like [3] construction of a zero- 
knowledge authentication scheme from arbitrary actions. 

Suppose a (partial) semigroup S acts on a set X, i.e., for s, t ∈ S and x ∈ X, one 
has (st)(x) = s(t(x)) whenever both sides are defined. For cryptographic purposes, it 
is good to have an action which is "hard-to-invert". We deliberately avoid using the 
"one-way function" terminology here because we do not want to be distracted by formal 
definitions that are outside of the main focus of this paper. For a rigorous definition of 
a one-way function, we just refer to one of the well-established sources, such as [5]. It 
is sufficient for our purposes to use an intuitive idea of a hard-to-invert action which is 
as follows. Let X and Y be two sets such that complexity |u| is defined for all elements 
u of either set. A function f : X → Y is hard-to-invert if computing f(x) takes time 
polynomial in |x| for any x ∈ X (which implies, in particular, that the complexity of f(x) is 
bounded by a polynomial function of |x|), but there is no known algorithm that would 
compute some f^{-1}(y) in time polynomial in |y| for every y ∈ f(X). 

In our context of actions, we typically consider hard-to-invert functions of the type 
f_x : s → s(x); in particular, a secret is usually a mapping, which makes our approach 
different from what was considered before. This idea allows us to construct a general 
Feige-Fiat-Shamir-like zero-knowledge authentication scheme from arbitrary actions, 
see the next Section 2. Then, in the subsequent sections, we give several concrete 
realizations of this general idea, and in particular, we describe several zero-knowledge 
authentication schemes where recovering the prover's secret key from her public key 
is an NP-hard problem. We note however that what really matters for cryptographic 
security is computational intractability of a problem on a generic set of inputs, i.e., the 
problem should be hard on "most" randomly selected inputs. For a precise definition of 
the "generic-NP" class, we refer to [8]. Here we just say that some of the problems that 
we employ in the present paper, e.g. Graph Colorability, are likely to be generically 
NP-hard, which makes them quite attractive for cryptographic applications. 

We also address an apparently easier task of forgery (a.k.a. misrepresentation, a.k.a. 
impersonation), and show that in most of our schemes this, too, is equivalent for the 
adversary to solving an NP-hard problem. To be more specific, by forgery we mean 
the scenario where the adversary enters the authentication process at the commitment 
step, and then has to respond to the challenge properly. 

Finally, we note that there were other attempts at constructing zero-knowledge au- 
thentication schemes based on NP-hard problems (e.g. [1], [2]), but these constructions 
are less transparent, and it is not immediately clear how and why they work. 

2. TWO PROTOCOLS 

In this section, we give a description of two generic zero-knowledge authentication 
protocols. Here Alice is the prover and Bob the verifier. 

2.1. Protocol I. Suppose a set S acts on a set X, i.e., for any s ∈ S and x ∈ X, the 
element s(x) ∈ X is well-defined. 

(1) Alice's public key consists of sets S, X, an element x ∈ X, and an element 
u = s(x) for some randomly selected s ∈ S, which is her private key. 

(2) To begin authentication, Alice selects an element t ∈ S and sends the element 
v = t(s(x)) ∈ X, called the commitment, to Bob. 

(3) Bob chooses a random bit c, called the challenge, and sends it to Alice. 

• If c = 0, then Alice sends the element t to Bob, and Bob checks if the 
equality v = t(u) is satisfied. If it is, then Bob accepts the authentication. 

• If c = 1, then Alice sends the composition ts to Bob, and Bob checks if the 
equality v = ts(x) is satisfied. If it is, then Bob accepts the authentication. 

2.2. Protocol II. In this protocol, the hardness of obtaining the "permanent" private 
key for the adversary can be based on almost any search problem; we give some concrete 
examples in the following sections, whereas in this section, we give a generic protocol. 

(1) Alice's public key consists of a set S that has a property 𝒫. Her private key is 
a proof (or a "witness") that S does have this property. We are also assuming 
that the property 𝒫 is preserved by isomorphisms. 

(2) To begin authentication, Alice selects an isomorphism φ : S → S_1 and sends 
the set S_1 (the commitment) to Bob. 

(3) Bob chooses a random bit c and sends it to Alice. 

• If c = 0, then Alice sends the isomorphism φ to Bob, and Bob checks (i) if 
φ(S) = S_1 and (ii) if φ is an isomorphism. 

• If c = 1, then Alice sends a proof of the fact that S_1 has the property 𝒫 
to Bob, and Bob checks its validity. 

The following proposition says that in the Protocol II, successful forgery is equivalent 
for the adversary to finding Alice's private key from her public key, which is equivalent, 
in turn, to giving a proof (or a "witness") that S does have the property 𝒫. The latter 
problem can be selected from a large pool of NP-hard problems (see e.g. [4]). 

Proposition 1. Suppose that after several runs of steps (2)-(3) of the above Protocol II, 
both values of c are encountered. Then successful forgery in such a protocol is equivalent 
to finding a proof of the fact that S has the property 𝒫. 

Proof. Suppose Eve wants to impersonate Alice. To that effect, she interferes with the 
commitment step by sending her own commitment S_1' to Bob. Since she should be 
prepared to respond to the challenge c = 0, she should know an isomorphism φ' : S → 
S_1'. On the other hand, since she should be prepared for the challenge c = 1, she should 
know a proof of the fact that S_1' has the property 𝒫. Therefore, since φ' is invertible, 
this implies that she can produce a proof of the fact that S has the property 𝒫. This 
completes the proof in one direction. 

The other direction is trivial. □ 

Remark 1. We note that finding a proof of the fact that a given S has a property 𝒫 is 
not a decision problem, but rather a search problem (sometimes also called a promise 
problem), so we cannot formally allocate it to one of the established complexity classes. 
However, we observe that, if there were an algorithm A that would produce, for any S 
having a property 𝒫, a proof of that fact in time bounded by a polynomial P(|S|) in 
the "size" |S| of S, then, given an arbitrary S', we could run the algorithm A on S', 
and if it did not produce a proof of S' having the property 𝒫 after running for time 
P(|S'|), we could conclude that S' does not have the property 𝒫, thereby solving 
the corresponding decision problem in polynomial time. 

3. Graph isomorphism 

In this section, we describe a realization of the Protocol I from Section 2 (actually, 
it also fits in with the Protocol II), based on the Graph Isomorphism problem. We 
note that this decision problem is in the class NP, but it is not known to be NP-hard. 
Moreover, generic instances of this problem are easy, because two random graphs are 
typically non-isomorphic for trivial reasons. However, the problem that we actually 
use in the protocol below is a promise problem: given two isomorphic graphs, find a 
particular isomorphism between them. This is not a decision problem; therefore, if we 
want to allocate it to one of the established complexity classes, we need some kind of 
"stratification" to convert it to a decision problem. This can be done as follows. Any 
isomorphism of a graph Γ on n vertices can be identified with a permutation of the 
tuple (1, 2, ..., n), i.e., with an element of the symmetric group S_n. If we choose a set of 
generators {g_i} of S_n, we can ask whether or not there is an isomorphism between two 
given graphs Γ and Γ_1 which can be represented as a product of at most k generators 
g_i. To the best of our knowledge, the question of NP-hardness of this problem has not 
been addressed in the literature, but it looks like a really interesting and important 
problem. 

(1) Alice's public key consists of two isomorphic graphs, Γ and Γ_1, and her private 
key is an isomorphism φ : Γ → Γ_1. 

(2) To begin authentication, Alice selects an isomorphism ψ : Γ_1 → Γ_2, and sends 
the graph Γ_2 (the commitment) to Bob. 

(3) Bob chooses a random bit c and sends it to Alice. 

• If c = 0, then Alice sends the isomorphism ψ to Bob, and Bob checks if 
ψ(Γ_1) = Γ_2 and if ψ is an isomorphism. 

• If c = 1, then Alice sends the composition ψφ = ψ(φ) to Bob, and Bob 
checks if ψφ(Γ) = Γ_2 and if ψφ is an isomorphism. 

A couple of comments are in order. 

• As is usual with Feige-Fiat-Shamir-like authentication protocols, steps (2)-(3) 
of this protocol have to be iterated several times to prevent a successful forgery 
with non-negligible probability. 

• When we say that Alice "sends" (or "publishes") a graph, that means that Alice 
sends or publishes its adjacency matrix. Thus, the size of Alice's public key is 
2n^2, where n is the number of vertices in Γ. 

• When we say that Alice sends an isomorphism, that means that Alice sends a 
permutation of the tuple (1, 2, ..., n), where n is the number of vertices in the 
graph in question. Thus, the size of Alice's private key is approximately n log n. 

• When we say that Alice "selects an isomorphism", that means that Alice selects 
a random permutation from the group S_n; there is extensive literature on how 
to do this efficiently, see e.g. 

Proposition 2. Suppose that after several runs of steps (2)-(3) of the above protocol, 
both values of c are encountered. Then successful forgery in such a protocol is equivalent 
to finding an isomorphism between Γ and Γ_1. 

Proof. Suppose Eve wants to impersonate Alice. To that effect, she interferes with 
the commitment step by sending her own commitment Γ_2' to Bob. Since she should 
be prepared to respond to the challenge c = 0, she should know an isomorphism ψ' 
between Γ_1 and Γ_2'. On the other hand, since she should be prepared for the challenge 
c = 1, she should be able to produce the composition ψ'φ = ψ'(φ). Since she knows 
ψ' and since ψ' is invertible, this implies that she can produce φ. This completes the 
proof in one direction. 

The other direction is trivial. □ 
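To make the protocol of this section concrete, here is an added Python example (not code from the paper) that runs Protocol I with S = S_n acting on graphs exactly as described in steps (1)-(3) above, plus a simulation of an impersonator who knows only the public key. Assumptions of my own: graphs are stored as edge sets rather than adjacency matrices, permutations are 0-based tuples, and the names (Alice, verify, run_protocol, forgery_success_rate, SAMPLE_GRAPH) are mine; SAMPLE_GRAPH is a constructed asymmetric 6-vertex graph.

```python
import random

# A graph on vertices 0..n-1 is stored as (n, frozenset of 2-element frozensets).

def act(perm, graph):
    """Action of a permutation on a graph: vertex v is relabelled perm[v].
    This is the map f_x : s -> s(x) of the paper with x = graph."""
    n, edges = graph
    return (n, frozenset(frozenset(perm[v] for v in e) for e in edges))

def compose(a, b):
    """Composition a∘b (b applied first), chosen so that
    act(compose(a, b), G) == act(a, act(b, G)), i.e. (st)(x) = s(t(x))."""
    return tuple(a[b[i]] for i in range(len(b)))

def is_permutation(t, n):
    """Bob's check that a received 'isomorphism' really is an element of S_n."""
    return isinstance(t, tuple) and sorted(t) == list(range(n))

def random_permutation(n, rng):
    p = list(range(n))
    rng.shuffle(p)
    return tuple(p)

def make_rng(seed):
    return random.Random(seed)

# Constructed sample input: an asymmetric 6-vertex graph (its only automorphism
# is the identity), so every non-identity secret moves it.
SAMPLE_GRAPH = (6, frozenset(frozenset(e) for e in
                             [(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (1, 3)]))

class Alice:
    """Prover. Public key: Γ and Γ_1 = φ(Γ); private key: φ."""
    def __init__(self, graph, rng, secret=None):
        self.rng = rng
        self.n = graph[0]
        self.x = graph
        self.s = secret if secret is not None else random_permutation(self.n, rng)
        self.u = act(self.s, graph)

    def public_key(self):
        return (self.x, self.u)

    def commit(self):
        """Step (2): pick ψ and send Γ_2 = ψ(Γ_1)."""
        self.t = random_permutation(self.n, self.rng)
        return act(self.t, self.u)

    def respond(self, c):
        """Step (3): c = 0 reveals ψ, c = 1 reveals the composition ψφ."""
        return self.t if c == 0 else compose(self.t, self.s)

def verify(public_key, commitment, c, response):
    """Bob's check: ψ(Γ_1) = Γ_2 for c = 0, (ψφ)(Γ) = Γ_2 for c = 1."""
    x, u = public_key
    if not is_permutation(response, x[0]):
        return False
    return act(response, u if c == 0 else x) == commitment

def run_protocol(alice, rounds, rng):
    """Honest prover and verifier; True iff every round is accepted."""
    pk = alice.public_key()
    for _ in range(rounds):
        v = alice.commit()
        c = rng.randrange(2)
        if not verify(pk, v, c, alice.respond(c)):
            return False
    return True

def forgery_success_rate(public_key, rounds, trials, rng):
    """Eve knows only the public key. In each round she can prepare for one
    challenge (commit r(Γ_1) for c = 0 or r(Γ) for c = 1 with a random r) and
    fails when the other one arrives, so she passes all `rounds` rounds with
    probability 2^-rounds; this is why steps (2)-(3) are iterated."""
    x, u = public_key
    n = x[0]
    passed = 0
    for _ in range(trials):
        ok = True
        for _ in range(rounds):
            guess = rng.randrange(2)
            r = random_permutation(n, rng)
            v = act(r, u if guess == 0 else x)
            if not verify(public_key, v, rng.randrange(2), r):
                ok = False
                break
        passed += ok
    return passed / trials

if __name__ == "__main__":
    rng = make_rng(1)
    alice = Alice(SAMPLE_GRAPH, rng)
    print("honest run accepted:", run_protocol(alice, 20, rng))
    print("forgery rate over 10 rounds:",
          forgery_success_rate(alice.public_key(), 10, 500, rng))
```

Because SAMPLE_GRAPH is asymmetric, a response prepared for the wrong challenge is rejected with certainty, so the measured forgery rate tracks 2^-rounds closely; on a graph with many automorphisms the public key itself would leak less, but Bob's checks are unchanged.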

4. Subgraph isomorphism 

In this section, we describe another realization of the Protocol I from Section 2 based 
on the Subgraph Isomorphism problem. It is very similar to the Graph Isomorphism 
problem, but it is known to be NP-hard, see e.g. [4, Problem GT48]. We also note that 
this problem contains many other problems about graphs, including the Hamiltonian 
Circuit problem, as special cases. The problem is: given two graphs Γ_1 and Γ_2, find 
out whether or not Γ_1 is isomorphic to a subgraph of Γ_2. The relevant authentication 
protocol is similar to that in Section 3. 

(1) Alice's public key consists of two graphs, Γ and Δ_1. Alice's private key is a 
subgraph Γ_1 of Δ_1 and an isomorphism φ : Γ → Γ_1. 

(2) To begin authentication, Alice selects an isomorphism ψ : Δ_1 → Γ_2, then em- 
beds Γ_2 into a bigger graph Δ_2, and sends the graph Δ_2 (the commitment) to 
Bob. 

(3) Bob chooses a random bit c and sends it to Alice. 

• If c = 0, then Alice sends the subgraph Γ_2 and the isomorphism ψ to Bob, 
and Bob checks if ψ(Δ_1) = Γ_2 and if ψ is an isomorphism. 

• If c = 1, then Alice sends the subgraph Γ_2 and the composition ψφ = 
ψ(φ) to Bob, and Bob checks whether ψφ(Γ) = Γ_2 and whether ψφ is an 
isomorphism. 

Again, a couple of comments are in order. 

• The Subgraph Isomorphism problem is NP-complete, see e.g. [4]. 

• When we say that Alice "sends a subgraph" of a bigger graph, that means 
that Alice sends the numbers {m_1, m_2, ..., m_n} of vertices that define this sub- 
graph in the bigger graph. When she sends such a subgraph together with 
an isomorphism from another (sub)graph, she sends a map (k_1, k_2, ..., k_n) → 
(m_1, m_2, ..., m_n) between the vertices. 

• Compared to the protocol in Section 3, the size of Alice's public key is somewhat 
bigger because Alice has to embed one of the isomorphic graphs into a bigger 
graph. The size of Alice's private key is about the same as in the protocol of 
Section 3. 

5. Graph colorability 

Graph colorability (more precisely, k-colorability) appears as problem [GT4] on the 
list of NP-complete problems in [4]. We include an authentication protocol based on 
this problem here as a special case of the Protocol II from Section 2. We note that a 
(rather peculiar) variant of this problem was shown to be NP-hard on average in [12] 
(the latter paper deals with edge coloring though). 

(1) Alice's public key is a k-colorable graph Γ, and her private key is a k-coloring 
of Γ, for some (public) k. 

(2) To begin authentication, Alice selects an isomorphism ψ : Γ → Γ_1, and sends 
the graph Γ_1 (the commitment) to Bob. 

(3) Bob chooses a random bit c and sends it to Alice. 

• If c = 0, then Alice sends the isomorphism ψ to Bob. Bob verifies that ψ 
is, indeed, an isomorphism from Γ onto Γ_1. 

• If c = 1, then Alice sends a k-coloring of Γ_1 to Bob. Bob verifies that this 
is, indeed, a k-coloring of Γ_1. 

Again, a couple of comments are in order. 

• It is obvious that if Γ is k-colorable and Γ_1 is isomorphic to Γ, then Γ_1 is 
k-colorable, too. 

• When we say that Alice "sends a k-coloring", that means that Alice sends a set 
of pairs (v_i, n_i), where v_i is a vertex and n_i are integers between 1 and k such 
that, if v_i is adjacent to v_j, then n_i ≠ n_j. 

• Alice's algorithm for creating her public key (i.e., a k-colorable graph Γ) is as 
follows. First she selects a number n of vertices; then she partitions n into a 
sum of k positive integers: n = n_1 + ... + n_k. Now the vertex set V of the graph 
Γ will be the union of the sets V_i of cardinality n_i. No two vertices that belong 
to the same V_i will be adjacent, and any two vertices that belong to different 
V_i will be adjacent with some fixed probability. The k-coloring of Γ is then obvious: all 
vertices in the set V_i are colored in color i. 

Proposition 3. Suppose that after several runs of steps (2)-(3) of the above protocol, 
both values of c are encountered. Then successful forgery is equivalent to finding a 
k-coloring of Γ. 

The proof is almost exactly the same as that of Proposition 2. 
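The following is an added Python example (not code from the paper) that instantiates Protocol II of Section 2.2 with k-colorability: Alice's key generation exactly as in the last comment above, one round of steps (2)-(3) with Bob's two checks, and the pull-back step that underlies Proposition 3 (an isomorphism ψ' : Γ → Γ_1' together with a k-coloring of Γ_1' yields a k-coloring of Γ). Assumptions of my own: graphs are edge sets on vertices 0..n-1, the inter-class edge probability is an explicit parameter `edge_prob`, and all function and class names are mine.

```python
import random

# A graph on vertices 0..n-1 is (n, frozenset of 2-element frozensets);
# a colouring is a dict vertex -> colour in 1..k.

def act(perm, graph):
    """Relabel vertex v as perm[v] (the isomorphism ψ applied to Γ)."""
    n, edges = graph
    return (n, frozenset(frozenset(perm[v] for v in e) for e in edges))

def random_permutation(n, rng):
    p = list(range(n))
    rng.shuffle(p)
    return tuple(p)

def is_permutation(t, n):
    return isinstance(t, tuple) and sorted(t) == list(range(n))

def make_rng(seed):
    return random.Random(seed)

def is_k_colouring(graph, colouring, k):
    """Bob's check for c = 1: every vertex carries a colour in 1..k and no edge
    joins two vertices of the same colour."""
    n, edges = graph
    if set(colouring) != set(range(n)):
        return False
    if not all(1 <= colouring[v] <= k for v in colouring):
        return False
    return all(colouring[a] != colouring[b] for a, b in map(tuple, edges))

def keygen(n, k, edge_prob, rng):
    """Alice's key generation: split n vertices into k non-empty classes
    V_1..V_k, never join two vertices of one class, join vertices of different
    classes with probability edge_prob. Returns (public Γ, private k-colouring)."""
    cuts = sorted(rng.sample(range(1, n), k - 1))
    bounds = [0] + cuts + [n]
    colouring = {v: i + 1 for i in range(k)
                 for v in range(bounds[i], bounds[i + 1])}
    edges = {frozenset((a, b)) for a in range(n) for b in range(a + 1, n)
             if colouring[a] != colouring[b] and rng.random() < edge_prob}
    return (n, frozenset(edges)), colouring

class Alice:
    def __init__(self, graph, colouring, k, rng):
        self.graph, self.colouring, self.k, self.rng = graph, colouring, k, rng

    def commit(self):
        """Step (2): pick ψ and send Γ_1 = ψ(Γ)."""
        self.psi = random_permutation(self.graph[0], self.rng)
        return act(self.psi, self.graph)

    def respond(self, c):
        """Step (3): c = 0 reveals ψ; c = 1 reveals a k-colouring of Γ_1,
        obtained by carrying the colouring of Γ along ψ (colour(ψ(v)) := colour(v))."""
        if c == 0:
            return self.psi
        return {self.psi[v]: col for v, col in self.colouring.items()}

def verify(graph, k, commitment, c, response):
    """Bob's checks: ψ is an isomorphism Γ -> Γ_1 (c = 0), or the response is a
    k-colouring of Γ_1 (c = 1)."""
    if c == 0:
        return is_permutation(response, graph[0]) and act(response, graph) == commitment
    return is_k_colouring(commitment, response, k)

def extract_colouring(psi, colouring_of_image):
    """The step behind Proposition 3: answers to both challenges for one
    commitment pull back to a k-colouring of the public graph Γ."""
    return {v: colouring_of_image[psi[v]] for v in range(len(psi))}

if __name__ == "__main__":
    rng = make_rng(0)
    graph, secret = keygen(12, 3, 0.6, rng)
    alice = Alice(graph, secret, 3, rng)
    for _ in range(10):
        g1 = alice.commit()
        c = rng.randrange(2)
        print("round accepted:", verify(graph, 3, g1, c, alice.respond(c)))
```

Note that a fresh ψ is drawn for every commitment: reusing ψ across rounds would let a verifier who saw ψ in one round and the colouring of ψ(Γ) in another combine them exactly as extract_colouring does, which is why the zero-knowledge property of Protocol II depends on one commitment answering one challenge only.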

6. Endomorphisms of groups or rings 

In this section, we describe a realization of the Protocol II (it also fits in with the 
Protocol I) from Section 2 based on an algebraic problem known as the endomorphism 
problem, which can be formulated as follows. Given a group (or a semigroup, or a 
ring, or whatever) G and two elements g, h ∈ G, find out whether or not there is an 
endomorphism of G (i.e., a homomorphism of G into itself) that takes g to h. 

For some particular groups (and rings), the endomorphism problem is known to be 
equivalent to the Diophantine problem (see [9], [10]), and therefore the decision problem 
in these groups is algorithmically unsolvable, which implies that the related search 
problem does not admit a solution in time bounded by any recursive function of the 
size of an input. 

Below we give a description of the authentication protocol based on the endomor- 
phism problem, without specifying a platform group (or a ring), and then discuss 
possible platforms. 

(1) Alice's public key consists of a group (or a ring) G and two elements g, h ∈ G, 
such that φ(g) = h for some endomorphism φ ∈ End(G). This φ is Alice's 
private key. 

(2) To begin authentication, Alice selects an automorphism ψ of G and sends the 
element v = ψ(h) (the commitment) to Bob. 

• If c = 0, then Alice sends the automorphism ψ to Bob, and Bob checks 
whether v = ψ(h) and whether ψ is an automorphism. 

• If c = 1, then Alice sends the composite endomorphism ψφ = ψ(φ) to Bob, 
and Bob checks whether ψφ(g) = v and whether ψφ is an endomorphism. 

Here we point out that checking whether a given map is an endomorphism (or an 
automorphism) depends on how the platform group G is given. If, for example, G is 
given by generators and defining relators, then checking whether a given map is an 
endomorphism of G amounts to checking whether every defining relator is taken by 
this map to an element equal to 1 in G. Thus, the word problem in G (see e.g. [7] or 
[8]) has to be efficiently solvable. 
Checking whether a given map is an automorphism is more complex, and there is no 
general recipe for doing that, although for a particular platform group that we describe 
in subsection 6.1 this can be done very efficiently. In general, it would make sense for 
Alice to supply a proof (at the response step) that her ψ is an automorphism; this proof 
would then depend on the algorithm Alice used to produce ψ. 

Proposition 4. Suppose that after several runs of steps (2)-(3) of the above protocol, 
both values of c are encountered. Then successful forgery is equivalent to finding an 
endomorphism φ such that φ(g) = h, and is therefore NP-hard in some groups (and 
rings) G. 

Again, the proof is almost exactly the same as that of Proposition 2. We also 
note that in [6], a class of rings is designed for which the problem of existence of an 
endomorphism between two given rings from this class is NP-hard. 

A particular example of a group with the NP-hard endomorphism problem is given 
in the following subsection. 

6.1. Platform: free metabelian group of rank 2. A group G is called abelian (or 
commutative) if [a, b] = 1 for any a, b ∈ G, where [a, b] is the notation for a^{-1} b^{-1} a b. This 
can be generalized in different ways. A group G is called metabelian if [[x, y], [z, t]] = 1 
for any x, y, z, t ∈ G. The commutator subgroup of G is the group G' = [G, G] 
generated by all commutators, i.e., by expressions of the form [u, v] = u^{-1} v^{-1} u v, where 
u, v ∈ G. The second commutator subgroup G'' is the commutator of the commutator 
of G. 

Definition 1. Let F_n be the free group of rank n. The factor group F_n / F_n'' is called 
the free metabelian group of rank n, which we denote by M_n. 

Roman'kov [10] showed that, given any Diophantine equation E, one can efficiently 
(in linear time in the "length" of E) construct a pair of elements u, v of the group M_2, 
such that to any solution of the equation E, there corresponds an endomorphism of 
M_2 that takes u to v, and vice versa. Therefore, there are pairs of elements of M_2 for 
which the endomorphism problem is NP-hard (see e.g. [4, Problem AN8]). Thus, if a 
free metabelian group is used as the platform for the protocol in this section, then, by 
Proposition 4, forgery in that protocol is NP-hard. 

6.2. Platform: Z_p^*. Here the platform group is Z_p^*, for a prime p. Then, since Z_{p-1}^* 
acts on Z_p^* by automorphisms, via exponentiation, this can be used as the platform 
for the Protocol I. In this case, forgery is equivalent to solving the discrete logarithm 
problem, by Proposition 4. 